Merge pull request #37919 from nextcloud/backport/stable25/sso-kerberos-fix

blizzz · web-flow · commit 6251c8be3c99 · 2023-04-26T09:05:50.000+02:00
[stable25] Update kerberos sso test setup to use new user_saml config system
diff --git a/.github/workflows/smb-kerberos.yml b/.github/workflows/smb-kerberos.yml
@@ -5,10 +5,12 @@ on:
       - master
       - stable*
     paths:
-      - 'apps/files_external/**'
+      - "apps/files_external/**"
+      - ".github/workflows/smb-kerberos.yml"
   pull_request:
     paths:
-      - 'apps/files_external/**'
+      - "apps/files_external/**"
+      - ".github/workflows/smb-kerberos.yml"
 
 jobs:
   smb-kerberos-tests:
@@ -19,9 +21,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-versions: ['7.4', '8.0']
+        php-versions: ["7.4", "8.0"]
 
-    name: php${{ matrix.php-versions }}-${{ matrix.ftpd }}
+    name: smb-kerberos-sso
 
     steps:
       - name: Checkout server
@@ -35,9 +37,12 @@ jobs:
           docker pull icewind1991/samba-krb-test-client
       - name: Setup AD-DC
         run: |
+          cp apps/files_external/tests/*.sh .
           mkdir data
           sudo chown -R 33 data apps config
-          apps/files_external/tests/setup-krb.sh
+          DC_IP=$(./start-dc.sh)
+          ./start-apache.sh $DC_IP $PWD
+          echo "DC_IP=$DC_IP" >> $GITHUB_ENV
       - name: Set up Nextcloud
         run: |
           docker exec --user 33 apache ./occ maintenance:install --verbose --database=sqlite --database-name=nextcloud --database-host=127.0.0.1 --database-user=root --database-pass=rootpassword --admin-user admin --admin-pass password
@@ -46,7 +51,8 @@ jobs:
           # setup user_saml
           docker exec --user 33 apache ./occ app:enable user_saml --force
           docker exec --user 33 apache ./occ config:app:set user_saml type --value 'environment-variable'
-          docker exec --user 33 apache ./occ config:app:set user_saml general-uid_mapping --value REMOTE_USER
+          docker exec --user 33 apache ./occ saml:config:create
+          docker exec --user 33 apache ./occ saml:config:set 1 --general-uid_mapping=REMOTE_USER
 
           # setup external storage
           docker exec --user 33 apache ./occ app:enable files_external --force
@@ -56,19 +62,16 @@ jobs:
           docker exec --user 33 apache ./occ files_external:list
       - name: Test SSO
         run: |
-          mkdir cookies
-          chmod 0777 cookies
+          mkdir /tmp/shared/cookies
+          chmod 0777 /tmp/shared/cookies
 
-          DC_IP=$(docker inspect dc --format '{{.NetworkSettings.IPAddress}}')
-          docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
-            curl -c /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
-          CONTENT=$(docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
-            curl -b /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
-          echo $CONTENT
-          CONTENT=$(echo $CONTENT | tr -d '[:space:]')
+          echo "SAML login"
+          ./client-cmd.sh ${{ env.DC_IP }} curl -c /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
+          echo "Check we are logged in"
+          CONTENT=$(./client-cmd.sh ${{ env.DC_IP }} curl -b /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
+          CONTENT=$(echo $CONTENT | head -n 1 | tr -d '[:space:]')
           [[ $CONTENT == "testfile" ]]
 
-
   smb-kerberos-summary:
     runs-on: ubuntu-latest
     needs: smb-kerberos-tests
diff --git a/apps/files_external/tests/client-cmd.sh b/apps/files_external/tests/client-cmd.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+DC_IP=$1
+shift
+
+docker run --rm --name client -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client $@
diff --git a/apps/files_external/tests/setup-krb.sh b/apps/files_external/tests/setup-krb.sh
diff --git a/apps/files_external/tests/start-apache.sh b/apps/files_external/tests/start-apache.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+docker rm -f apache 2>/dev/null > /dev/null
+
+docker run -d --name apache -v $2:/var/www/html -v /tmp/shared:/shared --dns $1 --hostname httpd.domain.test icewind1991/samba-krb-test-apache 1>&2
+APACHE_IP=$(docker inspect apache --format '{{.NetworkSettings.IPAddress}}')
+
+# add the dns record for apache
+docker exec dc samba-tool dns add krb.domain.test domain.test httpd A $APACHE_IP -U administrator --password=passwOrd1 1>&2
+
+echo $APACHE_IP
diff --git a/apps/files_external/tests/start-dc.sh b/apps/files_external/tests/start-dc.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+function getContainerHealth {
+  docker inspect --format "{{.State.Health.Status}}" $1
+}
+
+function waitContainer {
+  while STATUS=$(getContainerHealth $1); [ $STATUS != "healthy" ]; do
+    if [ $STATUS == "unhealthy" ]; then
+      echo "Failed!" 1>&2
+      exit -1
+    fi
+    printf . 1>&2
+    lf=$'\n'
+    sleep 1
+  done
+  printf "$lf" 1>&2
+}
+
+docker rm -f dc 2>/dev/null > /dev/null
+
+mkdir -p /tmp/shared
+
+# start the dc
+docker run -dit --name dc -v /tmp/shared:/shared --hostname krb.domain.test --cap-add SYS_ADMIN icewind1991/samba-krb-test-dc 1>&2
+
+waitContainer dc
+
+docker inspect dc --format '{{.NetworkSettings.IPAddress}}'
